6.4 United States Cryptography Export/Import Laws

We remind the reader of the Legal Disclaimer in Section 6.1. For correct and updated information on United States cryptography export/import laws, contact the Bureau of Export Administration (BXA) (http://www.bxa.doc.gov/).

For many years, the U.S. government did not approve export of cryptographic products unless the key size was strictly limited. For this reason, cryptographic products were divided into two classes: products with "strong" cryptography and products with "weak" (that is, exportable) cryptography. Weak cryptography generally means a key size of at most 56 bits in symmetric algorithms, an RSA modulus of size at most 512 bits, and an elliptic curve key size of at most 112 bits (see Question 6.5.3). It should be noted that 56-bit DES and RC5 keys have been cracked (see Question 2.4.4), as well as a 512-bit RSA key (see Question 2.3.6).

In January 2000, the restrictions on export regulations were dramatically relaxed. Today, any cryptographic product is exportable under a license exception (that is, without a license) unless the end-users are foreign governments or embargoed destinations (Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taleban-controlled areas of Afghanistan as of January 2000). Export to government end-users may also be approved, but under a license.